* patch for ssh-agent
@ 2004-08-23 21:59 Luke Kenneth Casson Leighton
  2004-08-24 11:21 ` Stephen Smalley
  2004-08-25 10:13 ` Russell Coker
  0 siblings, 2 replies; 4+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-23 21:59 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 458 bytes --]

absolutely clueless as to what this is for, but at least it gets
rid of the audit warnings, which were bugging me.

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


[-- Attachment #2: ssh_agent --]
[-- Type: text/plain, Size: 1077 bytes --]

diff -Naur 
--- default.1.14/macros/program/ssh_agent_macros.te	2004-08-02 08:28:37.000000000 +0100
+++ current/macros/program/ssh_agent_macros.te	2004-08-14 23:34:48.000000000 +0100
@@ -86,7 +86,10 @@
 
 ifdef(`xdm.te', `
 allow $1_ssh_agent_t xdm_t:fd { use };
-allow $1_ssh_agent_t xdm_t:fifo_file { write };
+allow $1_ssh_agent_t xdm_t:fifo_file { read write };
+
+# kdm: sigchld
+allow $1_ssh_agent_t xdm_t:process { sigchld };
 ')
 
 #
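Review bot: the xdm_t:fifo_file rule widens from { write } to { read write } with no audit message recorded for the read, unlike the rules in the second hunk, which carry the EXE/NAME/PATH lines that triggered them; the original rule allowed only write on the pipe inherited from the display manager, so either record the denial that prompted `read` or drop it. The `process { sigchld }` rule is consistent with kdm being the parent that started the agent, and the bare `# kdm: sigchld` comment would be clearer stating that, e.g. `# kdm starts ssh-agent and receives its SIGCHLD`.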
@@ -103,5 +106,17 @@
 allow $1_ssh_t $1_tmp_t:sock_file write;
 allow $1_ssh_t $1_t:unix_stream_socket connectto;
 allow $1_ssh_t sshd_t:unix_stream_socket connectto;
+
+dontaudit $1_ssh_agent_t selinux_config_t:file { getattr read };
+	#EXE=/usr/bin/ssh-agent  NAME=config   :  read
+	#EXE=/usr/bin/ssh-agent  PATH=/etc/selinux/config   :  getattr
+
+allow $1_ssh_agent_t self:dir { search };
+	#EXE=/usr/bin/ssh-agent  NAME=2971   :  search
+
+allow $1_ssh_agent_t self:file { getattr read };
+	#EXE=/usr/bin/ssh-agent  NAME=mounts   :  read
+	#EXE=/usr/bin/ssh-agent  PATH=/proc/2971/mounts   :  getattr
+
 ')dnl end if ssh_agent
 
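Review bot: the three new rules come from the same libselinux start-up probe (the comments name /etc/selinux/config and /proc/2971/mounts), yet selinux_config_t gets `dontaudit` while the two `self` rules get `allow`; decide once whether ssh-agent actually needs these accesses and apply the same verb to all three, or state in the comment why the /proc reads are legitimate and the config read is not. The `#EXE=...` comment lines carry a literal pid (2971) and a leading tab inside an m4 macro file; a comment such as `# libselinux constructor reads /proc/self/mounts and /etc/selinux/config` keeps the rationale without per-host noise. Also check the existing rules above this hunk for a `selinux_config_t:dir { search }` dontaudit: if search on /etc/selinux is already denied silently, the file-level denial is never reached and the new file dontaudit is redundant.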


* Re: patch for ssh-agent
  2004-08-23 21:59 patch for ssh-agent Luke Kenneth Casson Leighton
@ 2004-08-24 11:21 ` Stephen Smalley
  2004-08-24 14:57   ` Luke Kenneth Casson Leighton
  2004-08-25 10:13 ` Russell Coker
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2004-08-24 11:21 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SE-Linux, Russell Coker, Daniel J Walsh

On Mon, 2004-08-23 at 17:59, Luke Kenneth Casson Leighton wrote:
> absolutely clueless as to what this is for, but at least it gets
> rid of the audit warnings, which were bugging me.

libselinux constructors try to:
- determine where selinuxfs is mounted via /proc/self/mounts for future
use in libselinux calls that act on selinuxfs,
- determine where the "active" policy is located via /etc/selinux/config
for future use in libselinux calls that act on policy files.

As a result, anything that links with libselinux will trigger these
access attempts upon startup, even if the program never subsequently
invokes any libselinux calls that would act on selinuxfs or a policy
file.  If you know the program isn't using such calls, then you can just
dontaudit these rules.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: patch for ssh-agent
  2004-08-24 11:21 ` Stephen Smalley
@ 2004-08-24 14:57   ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 4+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-24 14:57 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE-Linux, Russell Coker, Daniel J Walsh

On Tue, Aug 24, 2004 at 07:21:41AM -0400, Stephen Smalley wrote:
> On Mon, 2004-08-23 at 17:59, Luke Kenneth Casson Leighton wrote:
> > absolutely clueless as to what this is for, but at least it gets
> > rid of the audit warnings, which were bugging me.
> 
> libselinux constructors try to:
> - determine where selinuxfs is mounted via /proc/self/mounts for future
> use in libselinux calls that act on selinuxfs,
> - determine where the "active" policy is located via /etc/selinux/config
> for future use in libselinux calls that act on policy files.
> 
> As a result, anything that links with libselinux will trigger these
> access attempts upon startup, even if the program never subsequently
> invokes any libselinux calls that would act on selinuxfs or a policy
> file.  If you know the program isn't using such calls, then you can just
> dontaudit these rules.
 
 oo.  okay.
 
 well, i added dontaudit for ssh-agent and well it seems to be okay.

 l.




* Re: patch for ssh-agent
  2004-08-23 21:59 patch for ssh-agent Luke Kenneth Casson Leighton
  2004-08-24 11:21 ` Stephen Smalley
@ 2004-08-25 10:13 ` Russell Coker
  1 sibling, 0 replies; 4+ messages in thread
From: Russell Coker @ 2004-08-25 10:13 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SE-Linux

On Tue, 24 Aug 2004 07:59, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> absolutely clueless as to what this is for, but at least it gets
> rid of the audit warnings, which were bugging me.

Are you running in permissive mode?  The below line should prevent any 
selinux_config_t:file access unless the file handle is being inherited from 
kdm (in which case it would be a kdm bug and we don't want to hide it with a 
dontaudit).

dontaudit $1_ssh_agent_t selinux_config_t:dir { search };


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


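The denials discussed in this thread, turned into policy rules by a small script. This is an added example, not code from the thread, from libselinux or from any SELinux tool (it does by hand what audit2allow automates): it parses AVC denial lines in the kernel-log format of the period, groups the permissions per (source type, target type, class), writes `dontaudit` for the libselinux start-up probe of selinux_config_t that Stephen describes and `allow` for everything else, and rewrites the `user_` prefix as the `$1_` macro parameter used in ssh_agent_macros.te. The sample log lines are constructed: the pid, paths and type names follow the comments in Luke's patch, while the device, inode and full security contexts are assumed. The first constructed line is the selinux_config_t:dir search denial Russell refers to; on a real system that denial stops the path lookup before any file-level check happens.

```python
import re
from collections import defaultdict

# Constructed AVC denials in the kernel log format of the period. The pid,
# paths and process/type names follow the comments in the ssh_agent patch;
# device, inode and the full security contexts are assumed.
SAMPLE_AVC_LOG = """\
audit(1093300800.101:12): avc:  denied  { search } for  pid=2971 exe=/usr/bin/ssh-agent name=selinux dev=hda1 ino=40120 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1093300800.101:13): avc:  denied  { read } for  pid=2971 exe=/usr/bin/ssh-agent name=config dev=hda1 ino=40131 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1093300800.101:14): avc:  denied  { getattr } for  pid=2971 exe=/usr/bin/ssh-agent path=/etc/selinux/config dev=hda1 ino=40131 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1093300800.102:15): avc:  denied  { search } for  pid=2971 exe=/usr/bin/ssh-agent name=2971 dev=proc ino=194381 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:user_r:user_ssh_agent_t tclass=dir
audit(1093300800.102:16): avc:  denied  { read } for  pid=2971 exe=/usr/bin/ssh-agent name=mounts dev=proc ino=194392 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:user_r:user_ssh_agent_t tclass=file
audit(1093300800.102:17): avc:  denied  { getattr } for  pid=2971 exe=/usr/bin/ssh-agent path=/proc/2971/mounts dev=proc ino=194392 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:user_r:user_ssh_agent_t tclass=file
audit(1093300800.103:18): avc:  granted  { use } for  pid=2971 exe=/usr/bin/ssh-agent path=pipe:[6001] scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:system_r:xdm_t tclass=fd
"""

# Matches only denials; granted messages and unrelated log lines are ignored.
AVC_DENIED_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial.

    A target whose type equals the source type is reported as 'self', which
    is how policy refers to a process's own /proc entries.
    """
    for line in log_text.splitlines():
        m = AVC_DENIED_RE.search(line)
        if not m:
            continue
        stype = context_type(m["scontext"])
        ttype = context_type(m["tcontext"])
        target = "self" if ttype == stype else ttype
        yield stype, target, m["tclass"], set(m["perms"].split())


def generate_rules(log_text, dontaudit_types=frozenset(), domain_prefix=None):
    """Collapse denials into one rule per (source, target, class) tuple.

    Targets listed in dontaudit_types get a dontaudit rule instead of allow.
    With domain_prefix="user", a source type such as user_ssh_agent_t is
    emitted as $1_ssh_agent_t so the rule fits a *_macros.te file.
    """
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        perms_by_key[(stype, ttype, tclass)].update(perms)

    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        if domain_prefix and stype.startswith(domain_prefix + "_"):
            stype = "$1_" + stype[len(domain_prefix) + 1:]
        verb = "dontaudit" if ttype in dontaudit_types else "allow"
        rules.append(f"{verb} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_AVC_LOG,
                               dontaudit_types={"selinux_config_t"},
                               domain_prefix="user"):
        print(rule)
```

Run as-is, the script prints four rules: `allow` for the agent's own /proc directory and files, `dontaudit` for the selinux_config_t directory and config file. The decision between the two verbs is deliberately an input (`dontaudit_types`) rather than something inferred from the log: as Stephen's reply points out, only knowledge of whether the program actually uses the libselinux calls that act on policy files tells you which is right.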
